The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Back To Schedule
Thursday, January 24 • 11:00am - 11:50am
The White Hat’s Advantage: Open-source OWASP tools to aid in penetration testing coverage

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
White hat penetration testers are generally at a disadvantage compared to the malicious attackers they help defend against. They have limited time and resources to secure the entire application, whereas attackers have unlimited time and may only need a single vulnerability. This session will discuss how web application penetration testers can improve the efficiency and comprehensiveness of their white box testing using two new open source OWASP tools. These tools leverage access to application source code and server bytecode to provide an advantage to the penetration tester working with the development team.

The first tool, OWASP Code Pulse, uses glass box testing techniques to instrument the web application server bytecode to provide real-time code coverage while testing the application. This allows the penetration tester to measure how much of the application’s server code their testing has touched, and visually displays gaps in their testing coverage. This real-time feedback helps testers tune their testing to maximize the amount of code covered, compare performance of different testing tools and activities, and communicate useful metrics of testing activity to others.

The second tool, Attack Surface Detector performs static code analysis to first detect the web application endpoints, parameters, and parameter datatypes. This information is then pulled into the Burp Suite and OWASP ZAP web application testing suites to allow for rapid dynamic testing of the discovered attack surface. The benefit of this approach over traditional spidering techniques is that hidden endpoints are found without brute force guessing, and optional parameters not seen in the client-side code are discovered. The Attack Surface Detector is being continually updated; the most recently added functionality includes seeing endpoint differences between application versions, so penetration testers can focus their testing only on the changes.

Recent features and major releases will be discussed, a brief demonstration of the tools will be given, and a question and answer portion will complete the session. We are particularly interested in feedback from the audience on whether these tools help their specific needs and what future improvements would make them even better.


Vincent Hopson

Field Applications Engineer, CodeDx
Vincent Hopson is a Field Application Engineer at Code Dx. Vincent has been working in the application security and software quality field for over 20 years and has worked with many organizations on integrating software security into their software development process.

Thursday January 24, 2019 11:00am - 11:50am PST
Club Room